Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Musician Manager
v1.1.0
AI Band Manager skill for musicians. Use when handling any music industry task — venue booking outreach, social media content, release planning, setlist mana...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's features (venue outreach, social posting, calendar, contract review, video generation, telephony) are consistent with a band-manager purpose. However, it lists many integrations (Telegram/WhatsApp, Postiz, ElevenLabs, Kling AI, Google Calendar, Email and references other skills) that would normally require credentials or explicit instructions for access; those are not declared anywhere in the metadata.
Instruction Scope
SKILL.md stays on-topic for music-management tasks and does not instruct the agent to read arbitrary system files or hidden locations. It does, however, expect the agent to perform potentially sensitive actions (sending outreach emails, accessing calendars, handling fan/contact lists, making AI phone calls, analyzing contracts). Those operations require access to user data and external services but the skill gives no detail on how credentials will be obtained or how user data/privacy is handled.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes on-disk execution risk. No downloads or package installs are specified.
Credentials
The skill declares no required environment variables or primary credential but claims integration with many external services that normally require API keys, OAuth tokens, or account access. The lack of declared credentials is disproportionate and opaque — you should expect at minimum access requirements for email/SMTP, calendar (Google OAuth), social posting service tokens, telephony or voice-service credentials, and any third-party AI/video services.
Persistence & Privilege
always:false and normal autonomous invocation settings are used. The skill does not request persistent system-level changes in the metadata. Note: if granted broad credentials, autonomous invocation increases blast radius, but autonomous invocation alone is not unusual.
What to consider before installing
Before installing or enabling this skill, ask the publisher for: (1) source code or a homepage and an author identity; (2) an explicit list of required credentials/env vars and the minimum OAuth scopes needed for each integration (email/SMTP, Google Calendar, Telegram/WhatsApp, Postiz, ElevenLabs, Kling AI, any telephony provider); (3) how credentials are obtained (interactive OAuth vs. asking you to paste long-lived secrets) and where they are stored; (4) privacy/data-retention policy for fan/contact data, voice call logs, contracts, and analytics; (5) whether the skill will call other skills (Postiz/Larry, ai-music-video) and what credentials those other skills require. Do not provide account-level or long-lived secrets without least-privilege scoping and a clear trust signal (source repo, publisher identity, or reviews). If you still want to test it, use throwaway/sandbox accounts and deny broad permissions until you confirm behavior. If the publisher cannot provide clear answers, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
